Welcome to Soraha ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational gaming platform.
Data Controller: Soraha Educational Platform
Contact Email: privacy@soraha.org
Jurisdiction: Kenya
Information We Collect
Personal Information
Student Information: First name, last name, email address, grade level, subjects, school information
Account Credentials: Passwords (hashed), PINs for student access
Educational Performance Data
Game session results (scores, completion status, time spent)
Question responses and accuracy rates
Learning progress and performance trends
Badges, certificates, and achievements earned
Learning streaks and engagement metrics
Technical Information
Device identifiers and fingerprints (for anonymous users)
IP addresses and user agent information
Session tokens and authentication data
Connection codes and relationships between users
Usage Information
Game sessions started and completed
Time spent on the platform
Features accessed and interactions
Referral codes and connections
How We Use Your Data
We use the information we collect for the following purposes:
Performance Monitoring: Track and analyze student learning progress, identify areas for improvement, and provide personalized feedback
Game Improvement: Enhance game features, fix bugs, and optimize user experience based on usage patterns
Personalized Recommendations: Suggest educational content, question sets, and learning paths tailored to individual student needs
Account Management: Create and manage user accounts, authenticate users, and maintain security
Educational Support: Enable teachers and guardians to monitor student progress and provide appropriate support
Communication: Send important notifications, updates, and educational content (with your consent)
Compliance: Meet legal obligations and respond to data protection requests
Legal Basis for Processing
We process your personal data based on the following legal bases:
Consent: You have given explicit consent for data processing (via Terms & Conditions acceptance)
Educational Purpose: Processing is necessary for the provision of educational services
Legitimate Interest: Improving our platform, ensuring security, and preventing fraud
Parental/Guardian Consent: For users under 18, we rely on parental or guardian consent (through teacher or guardian connections)
Legal Obligation: Complying with applicable laws and regulations, including Kenya's Data Protection Act
Data Sharing & Third Parties
We do not sell your personal information. We may share your data only in the following circumstances:
Teachers & Educational Institutions: Share student performance data with authorized teachers and school administrators for educational purposes
Parents/Guardians: Share student data with linked guardians who have been granted access
Service Providers: Share with trusted third-party service providers who assist in platform operation (hosting, email services) under strict confidentiality agreements
Legal Requirements: Disclose data when required by law, court order, or government regulation
Platform Safety: Share data to protect our rights, prevent fraud, or ensure user safety
Note: We require all third parties to maintain appropriate security measures and use data only for specified purposes.
Data Security Measures
We implement comprehensive security measures to protect your data:
Password Hashing: All passwords are hashed using bcrypt before storage
Secure Connections: All data transmission uses HTTPS/TLS encryption
Access Controls: Role-based access controls restrict data access to authorized personnel only
Database Security: MongoDB databases are secured with authentication and network restrictions
Regular Audits: Periodic security reviews and vulnerability assessments
Data Minimization: We only collect and retain data necessary for our services
Data Retention Periods
We retain your data only for as long as necessary:
Active Accounts: Data is retained while your account is active and for educational purposes
Inactive Accounts: Data may be retained for up to 2 years after account inactivity for educational records
Deletion Requests: Upon verified deletion request, data is removed within 30 days, except where legally required to retain
Anonymous Data: Aggregated, anonymized data may be retained indefinitely for analytics purposes
Legal Requirements: Some data may be retained longer if required by law or for legitimate educational purposes
Your Rights
Under Kenya's Data Protection Act, you have the following rights:
Right to Access: Request a copy of all personal data we hold about you
Right to Rectification: Request correction of inaccurate or incomplete data
Right to Erasure: Request deletion of your personal data (subject to legal obligations)
Right to Object: Object to processing of your data for specific purposes
Right to Restrict Processing: Request limitation of how we process your data
Right to Data Portability: Request your data in a structured, machine-readable format
Right to Withdraw Consent: Withdraw consent at any time (does not affect past processing)
To exercise these rights, please visit our Data Management Dashboard or contact us at privacy@soraha.org.
Children's Privacy & Guardian Consent
Soraha is designed for educational use and may be used by children under 18. We take special care to protect children's privacy:
Parental/Guardian Consent Requirement: Children can only access our platform with consent from a parent, guardian, or authorized teacher. Teachers MUST obtain explicit parental consent BEFORE sharing connection codes with students. By providing a connection code, teachers certify that they have obtained prior consent from the child's parent or guardian.
Connection-Based Consent: When a student connects via a teacher code or guardian code, that connection serves as the consent mechanism. However, for teacher connections, this assumes the teacher has already obtained parental consent.
Teacher Responsibility: Teachers are required to obtain written or verbal consent from parents/guardians before distributing connection codes. Teachers must maintain records of this consent where required by their school or local regulations.
Educational Context: While teachers act in an educational capacity with school authorization (standard practice in the Kenyan educational context), they must ensure parental consent is obtained first.
Limited Data Collection: We only collect data necessary for educational purposes
Parental Access: Guardians with linked accounts can view their child's educational data and may request access or deletion at any time
Data Protection: All children's data is subject to the same security measures as adult data
Parents or guardians can request access to or deletion of their child's data at any time.
International Data Transfers
Your data is primarily stored and processed in Kenya. If we transfer data internationally, we ensure:
Adequate data protection measures are in place
Recipient countries have adequate data protection laws or we use appropriate safeguards
Transfers are necessary for service provision or with your explicit consent
Changes to Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
We will update the "Last updated" date at the top of this page
Material changes will be communicated via email or platform notifications
Continued use of our platform after changes constitutes acceptance of the updated policy
If you do not agree with changes, you may withdraw consent and request data deletion
Contact Information
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Data Protection Officer
Email: privacy@soraha.org
Address: Soraha Educational Platform, Kenya